Step 5: Configure Group Policy Settings for Automatic Updates
Applies To: Windows Server 2012 R2, Windows Server 2012
In an Active Directory environment, you can use Group Policy to define how computers and users (referred to in this document as WSUS clients) can interact with Windows Updates to obtain automatic updates from Windows Server Update Services (WSUS).
This topic contains two main sections:
Group Policy settings for WSUS client updates, which provides prescriptive guidance and behavioral details about the Windows Update and Maintenance Scheduler settings of Group Policy that control how WSUS clients can interact with Windows Update to obtain automatic updates.
Supplemental information has the following sections: For administrators who are not already familiar with Group Policy, the first section provides an overview about the general use of Group Policy. The second section contains a table that summarizes the differences in the default verses manual installation of WSUS in current and previous version of WSUS. The third section contains a list and definitions about terminology used in this guide.
Accessing the Windows Update settings in Group Policy, which provides general guidance about using Group Policy Management Editor, and information about accessing the Update Services policy extensions and Maintenance Scheduler settings in Group Policy.
Changes to WSUS relevant to this guide: for administrators familiar with WSUS 3.2 and previous versions, this section gives a brief summary of key differences between the current and past version of WSUS relevant to this guide.
Terms and Definitions: definitions for various terms pertaining to WSUS and update services that are used in this guide.
Group Policy settings for WSUS client updates
This section provides information about three extensions of Group Policy. In these extensions you will find the settings that you can use to configure how WSUS clients can interact with Windows Update to receive automatic updates.
Note
This topic assumes that you already use and are familiar with Group Policy. If you are not familiar with Group Policy, it is advised that you review the information in the Supplemental information section of this document before attempting to configure policy settings for WSUS.
Computer Configuration > Windows Update policy settings
This section provides details about the following computer-based policy settings:
Allow signed updates from an intranet Microsoft update service location
Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog
Do not display “Install updates and Shut Down” option in Shut Down Windows dialog
No auto-restart with logged on users for scheduled automatic updates installations
In the GPME, Windows Update policies for computer-based configuration are located in the path: PolicyName > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Note
By default, these settings are not configured.
Allow Automatic Updates immediate installation
Specifies whether Automatic Updates will automatically install updates that do not interrupt Windows services or restart Windows.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
If the “Configure Automatic Updates” policy setting is set to Disabled, this policy has no effect.
Policy setting state |
Behavior |
Not Configured |
Specifies that updates are not immediately installed. Local administrators can change this setting by using the Local Group Policy Editor. |
Enabled |
Specifies that Automatic Updates immediately installs updates after they are downloaded and ready to install. |
Disabled |
Specifies that updates are not immediately installed. |
Options: There are no options for this setting.
Allow non-administrators to receive update notifications
Specifies whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
See details in the table below. |
Note
If the “Configure Automatic Updates” policy setting is disabled or is not configured, this policy setting has no effect.
Important
Starting in Windows 8 and Windows RT, this policy setting is enabled by default. In all prior versions of Windows, it is disabled by default.
Note
Policy setting state
Options: There are no options for this setting.
Allow signed updates from an intranet Microsoft update service location
Specifies whether Automatic Updates accepts updates that are signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT |
Note
Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft, and they are not affected by this policy setting.
Note
This policy is not supported on Windows RT. Enabling this policy will not have any effect on computers running Windows RT.
Options: There are no options for this setting.
Policy setting state |
Behavior |
Not Configured |
Specifies that updates from an intranet Microsoft update service location must be signed by Microsoft. |
Enabled |
Specifies that Automatic Updates accepts updates received through an intranet Microsoft update service location if they are signed by a certificate found in the local computer’s "Trusted Publishers" certificate store. |
Disabled |
Specifies that updates from an intranet Microsoft update service location must be signed by Microsoft. |
Options: There are no options for this setting.
Always automatically restart at the scheduled time
Specifies whether a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the sign-in screen for at least two days.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
If the "No auto-restart with logged on users for scheduled automatic updates installations" policy setting is enabled, this policy has no effect.
Policy setting state |
Behavior |
Not Configured |
Specifies that Windows Update will not alter the computer’s restart behavior. |
Enabled |
Specifies that a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the sign-in screen for at least two days. The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the computer has signed-in users. |
Disabled |
Specifies that Windows Update will not alter the computer’s restart behavior. |
Options: If this setting is enabled, you can specify the amount of time that will elapse after updates are installed before a forced computer restart occurs.
Automatic Updates detection frequency
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT |
Note
The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect. If “Configure Automatic Updates” policy setting is disabled, this policy has no effect.
Note
This policy is not supported on Windows RT. Enabling this policy will not have any effect on computers running Windows RT.
Policy setting state |
Behavior |
Not Configured |
Specifies that Windows will check for available updates at the default interval of 22 hours. |
Enabled |
Specifies that Windows will check for available updates at the specified interval. |
Disabled |
Specifies that Windows will check for available updates at the default interval of 22 hours. |
Options: If this setting is enabled, you can specify the time interval (in hours) that Windows Update waits before checking for updates.
Configure Automatic Updates
Specifies specify whether automatic updates are enabled on this computer.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT |
If enabled, you must select one of the four options provided in this Group Policy setting.
To use this setting, select Enabled, and then in Options under Configure automatic updating, select one of the options (2, 3, 4, or 5).
Note
Policy setting state
Specifies whether local administrators are allowed to use the Automatic Updates control panel to select a configuration option of their choice—for example, whether local administrators can choose a scheduled installation time.
Local administrators will not be allowed to disable the configuration for Automatic Updates.
Disabled
Specifies that any client updates that are available from the public Windows Update service must be manually downloaded from the Internet and installed.
Delay Restart for scheduled installations
Specifies the amount of time Automatic Updates will wait before proceeding with a scheduled restart.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy setting is disabled, this policy has no effect.
Policy setting state |
Behavior |
Not Configured |
Specifies that after updates are installed, the default wait time of fifteen minutes will elapse before any scheduled restart occurs. |
Enabled |
Specifies that when the installation is finished, a scheduled restart will occur after the specified number of minutes has expired. |
Disabled |
Specifies that after updates are installed, the default wait time of fifteen minutes will elapse before any scheduled restart occurs. |
Options: If this setting is enabled, you can use this option to specify the amount of time (in minutes) Automatic Updates waits before proceeding with a scheduled restart.
Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog
This policy setting enables you to specify whether the Install Updates and Shut Down option is permitted as the default choice in the Shut Down Windows dialog box.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy setting has no impact if the PolicyName > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Do not display ”Install Updates and Shut Down” option in Shut Down Windows dialog policy setting is enabled.
Policy setting state |
Behavior |
Not Configured |
Specifies that Install Updates and Shut Down will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. |
Enabled |
If you enable this policy setting, the user's last shut down choice (for example, Hibernate or Restart), is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? menu. |
Disabled |
Specifies that Install Updates and Shut Down will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. |
Options: There are no options for this setting.
Do not connect to any Windows Update Internet locations
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update and other services, such as Microsoft Update or the Windows Store.
Enabling this policy will disable the functionality to periodically retrieve information from the public Windows Server Update Service, and it may cause connection to public services such as the Windows Store to stop working.
Supported on: |
Excluding: |
|---|---|
Starting with Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1, Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy applies only when the computer is configured to connect to an intranet update service by using the "Specify intranet Microsoft update service location" policy setting.
Policy setting state |
Behavior |
Not Configured |
The default behavior to retrieve information from the public Windows Server Update Service persists. |
Enabled |
Specifies that computers will not retrieve information from the public Windows Server Update Service. |
Disabled |
The default behavior to retrieve information from the public Windows Server Update Service persists. |
Options: There are no options for this setting.
Do not display “Install updates and Shut Down” option in Shut Down Windows dialog
Specifies whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Policy setting state |
Behavior |
Not Configured |
Specifies that the Install Updates and Shut Down option is available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option to shut down the computer. A local administrator can change this setting by using local policy. |
Enabled |
Specifies that Install Updates and Shut Down will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option to shut down the computer. |
Disabled |
Specifies that the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. |
Options: There are no options for this setting.
Enable client-side targeting
Specifies the target group name or names that are configured in the WSUS console that are to receive updates from WSUS.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT |
Note
This policy applies only when this computer is configured to support the specified target group names in WSUS. If the target group name doesn’t exist in WSUS, it will be ignored until it is created. If the "Specify intranet Microsoft update service location" policy setting is disabled or not configured, this policy has no effect.
Note
This policy is not supported on Windows RT. Enabling this policy will not have any effect on computers running Windows RT.
Policy setting state |
Behavior |
Not Configured |
Specifies that no target group information is sent to WSUS. A local administrator can change this setting by using a local policy. |
Enabled |
Specifies that the specified target group information is sent to WSUS, which uses it to determine which updates should be deployed to this computer. If WSUS supports multiple target groups, you can use this policy to specify multiple group names, separated by semicolons, if you have added the target group names in the Computer group list in WSUS. Otherwise, a single group must be specified. |
Disabled |
Specifies that no target group information is sent to WSUS. |
Options: Use this space to specify one or more target group names.
Enabling Windows Update Power Management to automatically wake up the computer to install scheduled updates
Specifies whether Windows Update will use the Windows Power Management or Power Options features to automatically wake up the computer from hibernation if there are updates scheduled for installation.
The computer will automatically wake only if Windows Update is configured to install updates automatically. If the computer is in hibernation when the scheduled installation time occurs and there are updates to be applied, Windows Update will use the Windows Power Management or Power Options features to automatically wake the computer to install the updates. Windows Update will also wake the computer and install an update if an installation deadline occurs.
The computer will not wake unless there are updates to be installed. If the computer is on battery power, when Windows Update wakes it, it will not install updates and the computer will automatically return to hibernation in two minutes.
Supported on: |
Excluding: |
|---|---|
Starting with Windows Vista and Windows Server 2008 (Windows 7), Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Policy setting state |
Behavior |
Not Configured |
Windows Update does not wake the computer from hibernation to install updates. A local administrator can change this setting by using a local policy. |
Enabled |
Windows Update wakes the computer from hibernation to install updates under the previously listed conditions. |
Disabled |
Windows Update does not wake the computer from hibernation to install updates. |
Options: There are no options for this setting.
No auto-restart with logged on users for scheduled automatic updates installations
Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is signed in, instead of causing the computer to restart automatically.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy setting is disabled, this policy has no effect.
Policy setting state |
Behavior |
Not Configured |
Specifies that Automatic Updates will notify the user that the computer will automatically restart in five minutes to complete the installation. |
Enabled |
Some updates require the computer to be restarted before the updates will take effect. If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is signed in to the computer. Instead, Automatic Updates will notify the user to restart the computer. |
Disabled |
Specifies that Automatic Updates will notify the user that the computer will automatically restart in five minutes to complete the installation. |
Options: There are no options for this setting.
Re-prompt for restart with scheduled installations
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT |
Important
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy setting is disabled, this policy has no effect.
Note
This policy has no effect on computers running Windows RT.
Policy setting state |
Behavior |
Not Configured |
A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. A local administrator can change this setting by using a local policy. |
Enabled |
Specifies that after the previous prompt for restart was postponed, a scheduled restart will occur after the specified number of minutes elapses. |
Disabled |
A scheduled restart occurs ten minutes after the prompt for restart message is dismissed. |
Options: When enabled, you can use this setting option to specify (in minutes) the duration of time that will elapse before users are prompted again about a scheduled restart.
Reschedule Automatic Updates scheduled installations
Specifies the amount of time for Automatic Updates to wait following a computer startup, before proceeding with a scheduled installation that was previously missed.
If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy setting is disabled, this policy has no effect.
Policy setting state |
Behavior |
Not Configured |
Specifies that a missed scheduled installation will occur one minute after the computer is next started. |
Enabled |
Specifies that a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. |
Disabled |
Specifies that a missed scheduled installation will occur with the next scheduled installation. |
Options: When this policy setting is enabled, you can use it to specify a number of minutes after the computer is next started, that a scheduled installation that did not take place earlier will occur.
Specify intranet Microsoft update service location
Specifies an intranet server to host updates from Microsoft Update. You can then use WSUS to automatically update computers on your network.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
Windows RT. |
This setting enables you to specify a WSUS server on your network that will function as an internal update service. Instead of using Microsoft Updates on the Internet, WSUS clients will search this service for updates that apply.
To use this setting, you must set two server name values: the server from which the client detects and downloads updates, and the server to which updated workstations upload statistics. The values need not be different if both services are configured on the same server.
Note
If the “Configure Automatic Updates” policy setting is disabled, this policy has no effect.
Note
This policy is not supported on Windows RT. Enabling this policy will not have any effect on computers running Windows RT.
Policy setting state |
Behavior |
Not Configured |
If Automatic Updates is not disabled by policy or user preference, this policy specifies that clients connect directly to the Windows Update site on the Internet. |
Enabled |
Specifies that the client connects to the specified WSUS server, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. |
Disabled |
If Automatic Updates is not disabled by policy or user preference, this policy specifies that clients connect directly to the Windows Update site on the Internet. |
Options: When this policy setting is enabled, you must specify the intranet update service that WSUS clients will use when detecting updates, and the Internet statistics server to which updated WSUS clients will upload statistics. Example values:
Setting option: |
Example value: |
|---|---|
Set the intranet update service for detecting updates |
https://wsus01:8530 |
Set the intranet statistics server |
https://IntranetUpd01 |
Turn on recommended updates via Automatic Updates
Specifies whether Automatic Updates will deliver important and recommended updates from WSUS.
Supported on: |
Excluding: |
|---|---|
Starting with Windows Vista, Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Policy setting state |
Behavior |
Not Configured |
Specifies that Automatic Updates will continue to deliver important updates if it is already configured to do so. |
Enabled |
Specifies that Automatic Updates will install recommended updates and important updates from WSUS. |
Disabled |
Specifies that Automatic Updates will continue to deliver important updates if it is already configured to do so. |
Options: There are no options for this setting.
Turn on Software Notifications
This policy setting enables you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service.
If you are not using the Microsoft Update service, the “Software Notifications” policy setting has no effect.
If the “Configure Automatic Updates” policy setting is disabled or is not configured, the “Software Notifications” policy setting has no effect.
Supported on: |
Excluding: |
|---|---|
Starting with Windows Server 2008 (Windows Vista) and Windows 7, Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
By default, this policy setting is disabled.
Policy setting state |
Behavior |
Not Configured |
Users on computers that are running Windows 7 are not offered messages for optional applications. Users on computers that are running Windows Vista are not offered messages for optional applications or updates. A local administrator can change this setting by using Control Panel or a local policy. |
Enabled |
If you enable this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open Windows Update and get more information about the software or install it. The user can also click Close this message or Show me later to defer the notification as appropriate. In Windows 7, this policy setting will only control detailed notifications for optional applications. In Windows Vista, this policy setting controls detailed notifications for optional applications and updates. |
Disabled |
Specifies that users running Windows 7 will not be offered detailed notification messages for optional applications, and users running Windows Vista will not be offered detailed notification messages for optional applications or optional updates. |
Options: There are no options for this setting.
Computer Configuration > Maintenance Scheduler policy settings
In the Configure Automatic Updates setting, you selected the option 4 – Auto download and schedule the install, you can specify schedule Maintenance Scheduler settings in the GPMC for computers running Windows 8 and Windows RT. If you did not select option 4 in the “Configure Automatic Updates” setting, you do not need to configure these settings for the purpose of automatic updates. Maintenance Scheduler settings are located in the path: PolicyName > Computer Configuration > Policies > Administrative Templates > Windows Components > Maintenance Scheduler. The Maintenance Scheduler extension of Group Policy contains the following settings:
Automatic Maintenance Activation Boundary
This policy enables you to configure the “Automatic Maintenance activation boundary” setting.
The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, it is not necessary to configure this setting.
Policy setting state |
Behavior |
Not Configured |
If this policy setting is not configured, the daily scheduled time as specified on client computers in the Action Center > Automatic Maintenance Control Panel will apply. |
Enabled |
Enabling this policy setting overrides any default or modified settings configured on client computers in Control Panel > Action Center > Automatic Maintenance (or in some client versions, Maintenance). |
Disabled |
If you set this policy setting to Disabled, the daily scheduled time as specified in the Action Center > Automatic Maintenance, in the Control Panel will apply. |
Automatic Maintenance Random Delay
This policy setting allows you to configure the Automatic Maintenance activation random delay.
The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its activation boundary. This setting is useful for virtual machines where random maintenance might be a performance requirement.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, it is not necessary to configure this setting.
By default, when enabled, the regular maintenance random delay is set to PT4H.
Policy setting state |
Behavior |
Not Configured |
A four-hour random delay is applied to Automatic. |
Enabled |
Automatic Maintenance will delay starting from its activation boundary by up to the specified amount of time. |
Disabled |
No random delay is applied to Automatic Maintenance. |
Automatic WakeUp Policy
This policy setting allows you to configure the Automatic Maintenance wake-up policy.
The maintenance wake-up policy specifies whether Automatic Maintenance should make a wake-up request to the operating computer for daily scheduled maintenance.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
If the operating computer’s power-wake policy is explicitly disabled, this setting has no effect.
Note
This setting is related to option 4 in Configure Automatic Updates. If you did not select option 4 in Configure Automatic Updates, it is not necessary to configure this setting.
Policy setting state |
Behavior |
Not Configured |
If you do not configure this policy setting, the wake-up setting as specified in the Action Center > Automatic Maintenance Control Panel will apply. |
Enabled |
If you enable this policy setting, Automatic Maintenance will attempt to set an operating system wake-up policy and make a wake-up request for the daily scheduled time, if required. |
Disabled |
If you disable this policy setting, the wake-up setting as specified in the Action Center > Automatic Maintenance Control Panel will apply. |
User Configuration > Windows Update policy settings
This section provides details about the following user-based policy settings:
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog box
In the GPMC, the user settings for automatic computer updates are located in the path: PolicyName > User Configuration > Policies > Administrative Templates > Windows Components > Windows Update. The settings are listed in the same order as they appear in the Computer Configuration and User Configuration extensions in Group Policy, when the Settings tab of the Windows Update policy is selected to sort the settings alphabetically.
Note
By default, unless otherwise noted, these settings are not configured.
Tip
For each of these settings, you can use the following steps to enable, disable, or navigate between settings:
Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
Specifies whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Policy setting state |
Behavior |
Not Configured |
Specifies that the Install Updates and Shut Down option will appear in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option to shut down the computer. |
Enabled |
If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option to shut down the computer. |
Disabled |
Specifies that the Install Updates and Shut Down option will appear in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option to shut down the computer. |
Options: There are no options for this setting.
Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog box
Specifies whether the Install Updates and Shut Down option is allowed as the default choice in the Shut Down Windows dialog box.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Note
This policy setting has no impact if the PolicyName > User Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Do not display “Install Updates and Shut Down” option in Shut Down Windows dialog box is enabled.
Policy setting state |
Behavior |
Not Configured |
Specifies whether the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. |
Enabled |
Specifies whether the user's last shut down choice (for example, Hibernate or Restart) is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? menu. |
Disabled |
Specifies whether the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. |
Options: There are no options for this setting.
Remove access to use all Windows Update features
This setting enables you to remove WSUS client access to Windows Update.
Supported on: |
Excluding: |
|---|---|
Windows operating systems that are still within their Microsoft Products Support Lifecycle. |
null |
Important
Policy setting state
When enabled, you can configure one of the following notification options:
0 - Do not show any notifications
This setting will remove all access to Windows Update features and no notifications will be shown.
1 - Show restart required notifications
This setting will show notifications about restarts that are required to complete an installation.
Note
On computers running Windows 8 and Windows RT, if this policy is enabled, only notifications related to restarts and the inability to detect updates will be shown. The notification options are not supported. Notifications on the sign-in screen are always displayed.
Disabled
Users are able to connect to the Windows Update website.
Options: See Enabled in the table for this setting.
Supplemental information
This section provides addition information about using opening, and saving WSUS settings in Group Policies, and definitions for terms used in this guide. For administrators familiar with past versions of WSUS (WSUS 3.2 and previous versions), there is a table that briefly summarizes differences between WSUS versions.
Accessing the Windows Update settings in Group Policy
The procedure that follows describes how to open the GPMC on your domain controller. The procedure then describes how to either open an existing domain-level Group Policy Object (GPO) for editing, or create a new domain-level GPO and open it for editing.
Note
You must be a member of the Domain Admins group or equivalent, to perform this procedure.
To open or add and open a Group Policy Object
On your domain controller, go to Server Manager, > Tools, > Group Policy Management. The Group Policy Management Console opens.
In the left pane, expand your forest. For example, double-click Forest: example.com.
In the left pane, double-click Domains, and then double-click the domain for which you want to manage a Group Policy object. For example, double-click example.com.
Do one of the following:
To open an existing domain-level GPO for editing, double click the domain that contains the Group Policy object that you want to manage, right-click the domain policy you want to manage, and then click Edit. Group Policy Management Editor (GPME) opens.
To create a new Group Policy object and open for editing:
-
Right-click the domain for which you want to create a new Group Policy object, and then click Create a GPO in this domain, and Link it here.
In New GPO, in Name, type a name for the new Group Policy object, and then click OK.
Right-click your new Group Policy object, and then click Edit. GPME opens.
To open the Windows Update or Maintenance Scheduler extensions of Group Policy
In Group Policy Management Editor, do one of the following:
Open the Computer Configuration > Windows Update extension of Group Policy. Navigate to: PolicyName > Computer Configuration > Policies / Administrative Templates > Windows Components > Windows Update.
Open the User Configuration > Windows Update extension of Group Policy. Navigate to: PolicyName > User Configuration > Policies > Administrative Templates > Windows Components > Windows Update.
Open the Computer Configuration > Maintenance Scheduler extension of Group Policy. In GPOE, navigate to PolicyName > Computer Configuration > Policies > Administrative Templates > Windows Components > Maintenance Scheduler.
For more information about the Group Policy, see Group Policy Overview.
Tip
After you have opened the extension of Group Policy you want, you can use the following steps to enable, disable, or navigate between settings:
To configure Group Policy settings
In ExtensionOfGroupPolicy, double-click the setting you want to view or modify.
To configure the setting, do one of the following:
To retain the default unspecified state of the setting, select Not Configured
To enable the setting, select Enabled
To disable the setting, select Disabled.
In Options, if any options are listed, retain the default values or modify them as needed.
Do one of the following:
To save your changes and proceed to the next setting, click Apply, and then click Next Setting.
To save your changes and close the dialog box, click OK.
To discard all unsaved changes and close the dialog box, click Cancel.
Changes to WSUS relevant to this guide
The following table summarizes key differences between the current and past versions of WSUS that are relevant to this guide.
Windows Server and WSUS versions |
Description |
|---|---|
Windows Server 2012 R2 with WSUS 6.0, and subsequent versions |
Starting in Windows Server 2012, the WSUS server role is integrated with the operating system, and the associated Group Policy settings for WSUS clients are, by default, included in Group Policy. |
Windows Server 2008 (and earlier versions of Windows Server) with WSUS 3.2 and earlier |
In Windows Server 2008 (and earlier versions of Windows Server) using WSUS versions 3.2 (and earlier), the Group Policy settings that govern WSUS clients are not included in these Windows Server operating systems. The policy settings are in the WSUS Administrative template, wuau.adm. In these server versions, the WSUS Administrative template must first be added into the Group Policy Management Console (GPMC) before the WSUS client settings can be configured. |
Terms and Definitions
Following is a list of terms used in this guide.
Term |
Definition |
|---|---|
Automatic Updates |
A service that runs on Windows computers (Automatic Updates): Refers to the client computer component built into the Microsoft Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 with SP3 operating systems to get updates from Microsoft Update or Windows Update. Casual reference (automatic updates): The term used to describe when the Windows Update Agent automatically schedules and downloads updates. |
autonomous server |
Use to refer to a downstream Windows Server Update Services (WSUS) server on which administrators can manage WSUS components. |
downstream server |
Use to refer to a Windows Server Update Services (WSUS) server that gets updates from another WSUS server rather than from Microsoft Update or Windows Update. |
Group Policy extension (and: extension of Group Policy |
A collection of settings in Group Policy that are used to control how users and computers (to whom the policies apply) can configure and use various Windows services and features. Administrators can use WSUS with Group Policy for client-side configuration of the Automatic Updates client, to help ensure that end-users can't disable or circumvent corporate update policies. WSUS does not require the use of Active Directory or Group Policy. Client configuration can also be applied by using local group policy or by modifying the Windows registry. |
internal update service |
A casual reference to a network infrastructure that uses one or more WSUS servers to distribute updates. |
replica server |
Use to refer to a downstream Windows Server Update Services (WSUS) server that mirrors the approvals and settings on the upstream server to which it is connected. You cannot manage WSUS on a replica server. |
Microsoft Update |
An Internet-based Microsoft download site: A Microsoft Internet site that stores and distributes updates for Windows computers (device drivers), Windows operating systems and other Microsoft software products. |
Software Update Services (SUS) |
SUS was the predecessor product for Windows Server Update Services (WSUS). |
updates |
Any of a collection of software revisions, hotfixes, service packs, feature packs and device drivers that can be installed on a computer to extend functionality, or improve performance and security. |
update files |
The files required to install an update on a computer. |
update information (also known as update metadata) |
The information about an update, as opposed to the update binary files in an update package. For example, metadata supplies information for the properties of an update, thus enabling you to find out for what the update is useful. Metadata also includes Microsoft Software License Terms. The metadata package downloaded for an update is typically much smaller than the actual update file package. |
update source |
The location to which a Windows Server Update Services (WSUS) server synchronizes to get update files. This location can be either Microsoft Update or an upstream WSUS server. |
upstream server |
A Windows Server Update Services (WSUS) server that provides update files to another WSUS server, which in turn is referred to as a downstream server. |
Windows Server Update Services (WSUS) |
A Server Role program that runs on one or more Windows Server computers on a corporate network. A WSUS infrastructure enables you to manage updates for computers on your network to install. You can use WSUS to approve or decline updates before release, to force updates to install by a given date, and to obtain extensive reports on what updates each computer on your network requires. You can configure WSUS to approve certain classes of updates automatically (critical updates, security updates, service packs, drivers, etc.). WSUS also enables you to approve updates for "detection" only, so that you can see what computers will require a given update without having to install the updates. In a WSUS implementation, at least one WSUS server in the network must be able to connect to Microsoft Update to get available updates. Based on network security and configuration, the administrator can determine how many other servers connect directly to Microsoft Update. You can configure a WSUS server to get updates over the Internet from such places as:
|
Windows Update |
An Internet-based Microsoft download site: A Microsoft Internet site that stores and distributes updates for Windows computers (device drivers), and Windows operating systems. Computer service: The name of the Windows Update service that runs on computers. Windows Update detects, downloads, and installs updates on Windows computers. Depending on computer and policy configurations, the Windows Update Agent can download updates from:
Computers that are not managed in a WSUS-based environment will typically use Windows Update to connect directly - over the Internet - to Windows Update, Microsoft Update, or the Windows Store to obtain updates. |
WSUS Client |
A computer that receives updates from a WSUS intranet update service. In the case of Group Policy settings that control end-user interaction with Automatic Updates: a user of a computer in a WSUS environment. |